we can make a delay default to 1 second and double it every failed attempt. we should add complexity. I would take a patch or add an issue in google code.
On Jul 12, 8:01 am, cjrh <caleb.hatti...@gmail.com> wrote: > I like the timeout/delay idea for a failed password, and I very much like > the IP block after a number of failed attempts, but I am not too fond of a > complexity requirement. During development on my local machine (bound to > localhost), my standard admin password is "a". I would have to have to deal > with a complexity checker during development; and if we then say it will be > enabled only for production but not dev, then we need more code and > error-handling to manage the distinction, and it all becomes a lot of work. > I think the safeguards that are currently in web2py are quite sufficient, > and we can improve it a little bit more by penalizing brute force on the > password, as pbreit pointed out is currently vulnerable.
